Yahoo and Google search being hijacked

Status
Not open for further replies.

PeteU

I've followed the 8 steps to the best of my knowledge and attached the requested logs.

I utilize Internet Explorer 7 but recently search engines have become hijacked (Yahoo all the time, Google half the time). When I downloaded Firefox yesterday the same problem came up. Prior to the 8 steps I've run scans with symantec, Ad Aware and malware bytes but none of them have removed the problem.

I'm not a techie so any plain language to the greatest extent possible would be appreciated.

Thanks!
 

Attachments

  • SUPERAntiSpyware Scan Log - 04-13-2010 - 12-04-37.log
    77.1 KB · Views: 3
  • hijackthis.log
    8.8 KB · Views: 2
  • mbam-log-2010-04-13 (11-47-05).txt
    866 bytes · Views: 2
Welcome to TechSpot, Pete. I'll help with the malware and I only talk plain language! But let me know if you don't understand anything.

First, you have 2 antivirus programs: Symantec and Avast. Please remove one of them. Multiple AV programs can actually make the system more vulnerable as well as slow it down.

The system has a malware infection called HelpAssistant. It tacks itself on almost all of the files. But there is a program that removes -most- of it:

Please print the instructions below for this program. You will not have access to the directions once you have started.

Please download HelpAsst mebroot fix.exe by noahdefrea and save to your desktop
  • Close out all other open programs and windows.
  • Double-click on it to run the tool and follow any prompts.
  • If the tool detects an mbr infection, please allow it to run mbr -f and shutdown your computer.
  • Upon restarting, please wait about 5 minutes, go to > Run..., and in the Open dialog box, type: helpasst -mbrt
    Make sure you leave a space between helpasst -mbrt.
  • Click OK or press Enter.
  • HelpAsst fix will create and open a log when done.
  • Copy and paste the contents of that log into your next reply.
In the event the tool does not detect an mbr infection and completes, do this:
  • Go to > Run> in the Open dialog box type: mbr -f
  • Click OK or press Enter.
  • Now, please do the Start > Run > mbr -f command a second time.
  • Shut down the computer (do not restart, but shut it down). Wait about five minutes, then start it back up.
  • After restart go to > Run> in the Open dialog box, type: helpasst -mbrt
    Make sure you leave a space between helpasst and -mbrt.
  • Click OK or press Enter.
  • HelpAsst fix will create and open a log when done.
  • Copy and paste the contents of that log into your next reply.

-- Important note to Dell users: Fixing the mbr may prevent access to the Dell Restore Utility, which allows you to press a key on startup and revert your computer to a factory delivered state. There are a few known fixes for this, though the methods are somewhat advanced. If you are unwilling to take such a risk, you should not allow the tool to execute mbr -f nor execute the command manually. You will either need to restore your computer to a factory state or allow your computer to remain having an infected mbr (the latter not recommended).
Source: BleepingComputer
=========================
Please follow this with Combofix: Please download ComboFix HERE:
  • With ComboFix, at the download window, please rename it to Combo-Fix(.exe) before downloading it.
    Important! Save the renamed download to your desktop.
  • Please disable all security programs, such as antiviruses, antispywares, and firewalls.
  • Double click on the setup file on the desktop to run
  • If prompted to download and install the Recovery Console, please do so.
    (Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.)
  • If prompted to update, please allow.
  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a log. Please include the C:\ComboFix.txt in your next reply.
Notes:

  1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
  2. ComboFix may reset a number of Internet Explorer's settings.
  3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security.
  4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run.
====================
And follow that with an online AV scan: Run Eset NOD32 Online AntiVirus Scanner HERE
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the Active X control to install
  • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
  • Click Start
  • Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
  • Click Scan
  • Wait for the scan to finish
  • Re-enable your Antivirus software.
  • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
Please leave all logs and reports in your next reply.

Please do not run any other cleaning or scanning programs while I am helping you unless I ask you to. Do not use a registry cleaner or make any Registry changes.
 
Thanks. I went ahead and removed one of the programs.

BUT....when I went to HelpAsst mebroot fix.exe, I got a 404 Not Found page.
 
I did get HelpAsst mebroot fix.exe working, but I didn't get a log I could copy. I'm attaching the Combofix and Eset logs.

Got my fingers crossed...
 

Attachments

  • ComboFix.txt
    25.3 KB · Views: 1
  • log.txt
    777 bytes · Views: 1
Sorry about the HelpAssist link - I had an extra word in it. Try this: http://noahdfear.net/downloads/HelpAsst/HelpAsst_mebroot_fix.exe.

Before you run this, please be sure all of the security is disabled. Symantec Endpoint is just the 'real time' process. You should disable the rest of the program and AdAware before running:

  1. Close any open browsers.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the code below into it:
Code:
File::
c:\windows\system32\Drivers\Winty16.sys
c:\windows\system32\drivers\ae1a3e1e.sys
c:\program files\Viewpoint\Common\ViewpointService.exe

Folder::
c:\program files\Alwil Software

Extra::
File::
c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
Firefox::
Firefox-: Profile-  c:\documents and settings\associate\Application Data\Mozilla\Firefox\Profiles\kh618g10.default\

Registry::

Driver::
Winty16.sys
ae1a3e1e.sys
Viewpoint Manager Service
Save this as CFScript.txt, in the same location as ComboFix.exe
[Image: CFScriptB-4.gif]


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please attach to your next reply.

I have "assumed" that you forgot you installed c:\program files\Alwil Software in 2008-07-30 so I have included it in the removal. This is Avast antivirus.
I also see an entry for Sunbelt: c:\windows\system32\drivers\SBREDrv.sys on 2010-02-17. Since they put out security software, you might want to check and see what it is. I didn't include it in the script.
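Because a CFScript deletes whatever is listed under File::, Folder:: and Driver::, it is worth previewing a script before dragging it onto ComboFix. The parser and sanity check below are an added example written for this thread, not ComboFix's own code; the section rule (a line ending in "::" opens a section, the lines beneath it are its items) is an assumption taken from the script posted above, and the sample script is a constructed copy of its File/Folder/Driver sections.

```python
"""Preview a ComboFix CFScript: list its sections and flag risky entries.

Added example, not ComboFix's own code. Assumption: a line ending in '::'
starts a section (File::, Folder::, Driver::, ...) and following lines are
its items, as in the script posted in this thread.
"""
from collections import OrderedDict

# Constructed sample: the File/Folder/Driver sections from the thread's script.
SAMPLE_SCRIPT = """File::
c:\\windows\\system32\\Drivers\\Winty16.sys
c:\\windows\\system32\\drivers\\ae1a3e1e.sys
c:\\program files\\Viewpoint\\Common\\ViewpointService.exe

Folder::
c:\\program files\\Alwil Software

Driver::
Winty16.sys
ae1a3e1e.sys
Viewpoint Manager Service
"""

def _leaf(path):
    """Last path component, handling Windows backslashes on any OS."""
    return path.replace("/", "\\").split("\\")[-1]

def parse_cfscript(text):
    """Return an ordered dict: section name -> list of item lines."""
    sections = OrderedDict()
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("::"):
            current = line[:-2]
            sections.setdefault(current, [])
        elif current is None:
            raise ValueError("item before any section header: %r" % line)
        else:
            sections[current].append(line)
    return sections

def review(sections):
    """Return warnings for entries a helper should double-check before running."""
    warnings = []
    for path in sections.get("Folder", []):
        if path.lower().rstrip("\\") in ("c:", "c:\\windows", "c:\\program files"):
            warnings.append("Folder:: would remove a whole system tree: " + path)
    file_leaves = [_leaf(p).lower() for p in sections.get("File", [])]
    for drv in sections.get("Driver", []):
        if drv.lower().endswith(".sys") and _leaf(drv).lower() not in file_leaves:
            warnings.append("Driver:: %s has no matching File:: entry for its binary" % drv)
    return warnings
```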
 